Re: Sending Referer [#144]

I'm not crazy about this approach, but it may be workable.

p2 section 9.6 is currently:

>    The request-header field "Referer" [sic] allows the client to
>    specify, for the server's benefit, the address (URI) of the  
> resource
>    from which the request-target was obtained (the "referrer",  
> although
>    the header field is misspelled.)  The Referer request-header  
> allows a
>    server to generate lists of back-links to resources for interest,
>    logging, optimized caching, etc.  It also allows obsolete or  
> mistyped
>    links to be traced for maintenance.  The Referer field MUST NOT be
>    sent if the request-target was obtained from a source that does not
>    have its own URI, such as input from the user keyboard.
>
>      Referer        = "Referer" ":" OWS Referer-v
>      Referer-v      = absolute-URI / partial-URI
>
>    Example:
>
>      Referer: http://www.example.org/hypertext/Overview.html
>
>    If the field value is a relative URI, it SHOULD be interpreted
>    relative to the request-target.  The URI MUST NOT include a  
> fragment.
>    See Section 11.2 for security considerations.


Based on discussion so for, here's a straw-man:

"""
The request-header field "Referer" [sic] allows the client to specify,  
for the server's benefit, the address (URI) of the resource from which  
the request-target was obtained (the "referrer", although the header  
field is misspelled.).

The Referer request-header allows servers to generate lists of back- 
links to resources for interest, logging, optimized caching, etc. It  
also allows obsolete or mistyped links to be traced for maintenance.  
Some servers use Referer as a means of controlling where they allow  
links from (so-called "deep linking"), but it should be noted that  
legitimate requests are not required to contain a Referer header field.

If the request-target was obtained from a source that does not have  
its own URI (e.g., input from the user keyboard), the Referer field  
MUST either be sent with the value "about:blank", or not be sent at  
all. Note that this requirement does not apply to sources with non- 
HTTP URIs (e.g., FTP).

   Referer        = "Referer" ":" OWS Referer-v
   Referer-v      = absolute-URI / partial-URI

Example:

   Referer: http://www.example.org/hypertext/Overview.html

If the field value is a relative URI, it SHOULD be interpreted  
relative to the request-target. The URI MUST NOT include a fragment.  
See Section 11.2 for security considerations.
"""



On 02/06/2009, at 7:14 AM, Adam Barth wrote:

> On Mon, Jun 1, 2009 at 12:14 PM, Julian Reschke  
> <julian.reschke@gmx.de> wrote:
>> Adam Barth wrote:
>>> On Mon, Jun 1, 2009 at 11:40 AM, Adam Barth <w3c@adambarth.com>  
>>> wrote:
>>>> With regards to the 'null' value, we should try to pick a value  
>>>> that's
>>>> friendly to regular expressions (i.e., avoids . / [ and similar
>>>> characters) because many web application firewalls (who would use  
>>>> this
>>>> value) express their rules in terms of regular expressions.
>>>
>>> One possible value we could use is
>>>
>>> about:blank
>
> [...]
>
>>> about:noreferrer
>>
>> That will be tricky to use, as it would be a downref to a Proposed  
>> Standard
>> (*). HTTPbis will be (at least) one step ahead on the standards  
>> ladder).
>
> We need only suggest (require?) the literal "about:blank" without a
> downref.  That is syntactically an absolute URI, and the use should
> not conflict with any other use of that sequence of bytes.
>
> Adam
>


--
Mark Nottingham     http://www.mnot.net/

Received on Sunday, 7 June 2009 23:21:27 UTC